Security tool for considering multiple security contexts

ABSTRACT

An apparatus includes a memory and a hardware processor. The memory stores a first profile and a first hash. The processor receives a first message indicating that the user has entered a building and updates the first profile to produce a second profile. The processor generates a second hash, calculates a first deviation between the second hash and the first hash, and determines that the first deviation is below a threshold. The processor receives a second message indicating that the user has requested access to a software application and updates the second profile to produce a third profile. The processor also generates a third hash, calculates a second deviation between the third hash and the first hash, determines that the second deviation is above the threshold, and in response, flags the user for increased security monitoring and denies the user access to the software application.

TECHNICAL FIELD

This disclosure relates generally to security.

BACKGROUND

Malicious users jeopardize the security of buildings, devices, andnetworks.

SUMMARY OF THE DISCLOSURE

Malicious users jeopardize the security of buildings, devices, andnetworks. These users may attempt to access buildings, devices, andnetworks to sabotage systems, install malware, and/or take personalinformation of other users. The personal and financial costs resultingfrom these security breaches can be quite high for organizations andindividuals.

Various security measures have been implemented in existing buildings,devices, and networks to hinder or prevent breaches. However, thesesecurity measures are typically separate and/or isolated relative toeach other. As a result, to successfully protect against a malicioususer, all the security measures would need to successfully detect andstop that user in their isolated contexts. If even one security measurefails, the malicious user may gain access to an environment (e.g.,building, device, or network) and damage that environment. Additionally,because these systems are separate from each other, a malicious user maybehave in a way that each system finds suspicious but not suspiciousenough to trigger an alert in each system. As a result, the user may beable to get away with malicious behavior.

This disclosure contemplates a security tool that improves security bygenerally detecting deviations from expected user behavior acrossdifferent contexts. The security tool maintains a hash indicatingexpected or approved behavior. Each time a user performs some action(e.g., enters a building, logs on to a network, turns on a device), aprofile for the user is updated to indicate the action that wasperformed. A hash of the profile is then generated and compared to thehash indicating expected or approved behavior. If the deviation betweenthe two hashes is sufficiently large, then appropriate action may betaken. For example, the user may be flagged for further review. Asanother example, the user may be prevented from accessing a building. Asyet another example, the user may be kicked off a network, restrictedfrom accessing certain applications, and/or prevented from using aparticular device. In this manner, the security tool can consider theactions of a user across different security contexts to determinewhether the user is a malicious user, which makes it more difficult fora malicious user to trick the security system into granting access tocertain environments.

According to an embodiment, an apparatus includes a memory and ahardware processor. The memory stores a first profile indicating actionstaken by a user and a first hash indicating expected behavior from theuser. The processor receives a first message indicating that the userhas entered a building and updates the first profile based on the firstmessage to produce a second profile. The processor generates a secondhash based on the second profile, calculates a first deviation betweenthe second hash and the first hash, and determines that the firstdeviation is below a threshold. The processor receives a second messageindicating that the user has requested access to a software applicationand updates the second profile based on the second message to produce athird profile. The processor also generates a third hash based on thethird profile, calculates a second deviation between the third hash andthe first hash, determines that the second deviation is above thethreshold, and in response to determining that the second deviation isabove the threshold, flags the user for increased security monitoringand denies the user access to the software application.

According to another embodiment, a method includes storing, by a memory,a first profile indicating actions taken by a user and storing, by thememory, a first hash indicating expected behavior from the user. Themethod further includes receiving, by a hardware processorcommunicatively coupled to the memory, a first message indicating thatthe user has entered a building and updating, by the hardware processor,the first profile based on the first message to produce a secondprofile. The method also includes generating, by the processor, a secondhash based on the second profile, calculating, by the processor, a firstdeviation between the second hash and the first hash, and determining,by the processor, that the first deviation is below a threshold. Themethod further includes receiving, by the processor, a second messageindicating that the user has requested access to a software applicationand updating, by the processor, the second profile based on the secondmessage to produce a third profile. The method also includes generating,by the processor, a third hash based on the third profile, calculating,by the processor, a second deviation between the third hash and thefirst hash, determining, by the processor, that the second deviation isabove the threshold, and in response to determining that the seconddeviation is above the threshold, flagging, by the processor, the userfor increased security monitoring and denying, by the processor, theuser access to the software application.

According to yet another embodiment, a system includes a building and asecurity tool including a memory and a hardware processor. The securitytool stores a first profile indicating actions taken by a user and afirst hash indicating expected behavior from the user. The security toolalso receives a first message indicating that the user has entered thebuilding and updates the first profile based on the first message toproduce a second profile. The security tool further generates a secondhash based on the second profile, calculates a first deviation betweenthe second hash and the first hash, and determines that the firstdeviation is below a threshold. The security tool also receives a secondmessage indicating that the user has requested access to a softwareapplication and updates the second profile based on the second messageto produce a third profile. The security tool further generates a thirdhash based on the third profile, calculates a second deviation betweenthe third hash and the first hash, determines that the second deviationis above the threshold, and in response to determining that the seconddeviation is above the threshold, flags the user for increased securitymonitoring and denies the user access to the software application.

Certain embodiments provide one or more technical advantages. Forexample, an embodiment improves security by preventing access to certainsecurity contexts based on information from other security contexts. Asanother example, an embodiment protects user information by hashing auser's behavior in making security decisions. Certain embodiments mayinclude none, some, or all of the above technical advantages. One ormore other technical advantages may be readily apparent to one skilledin the art from the figures, descriptions, and claims included herein.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present disclosure, referenceis now made to the following description, taken in conjunction with theaccompanying drawings, in which:

FIG. 1 illustrates an example system;

FIG. 2 illustrates an example security tool of the system of FIG. 1;

FIG. 3 illustrates an example security tool of the system of FIG. 1;

FIG. 4 shows a radial graph that illustrates an example operation of thesecurity tool of the system of FIG. 1; and

FIG. 5 is a flowchart illustrating a method for improving security usingthe system of FIG. 1.

DETAILED DESCRIPTION

Embodiments of the present disclosure and its advantages are bestunderstood by referring to FIGS. 1 through 5 of the drawings, likenumerals being used for like and corresponding parts of the variousdrawings.

Various security measures have been implemented in existing buildings,devices, and networks to hinder or prevent breaches. However, thesesecurity measures are typically separate and/or isolated relative toeach other. As a result, to successfully protect against a malicioususer, all the security measures would need to successfully detect andstop that user in their isolated contexts. If even one security measurefails, the malicious user may gain access to an environment (e.g.,building, device, or network) and damage that environment. Additionally,because these systems are separate from each other, a malicious user maybehave in a way that each system finds suspicious but not suspiciousenough to trigger an alert in each system. As a result, the user may beable to get away with malicious behavior.

This disclosure contemplates a security tool that improves security bygenerally detecting deviations from expected user behavior acrossdifferent contexts. The security tool maintains a hash indicatingexpected or approved behavior. Each time a user performs some action(e.g., enters a building, logs on to a network, turns on a device), aprofile for the user is updated to indicate the action that wasperformed. A hash of the profile is then generated and compared to thehash indicating expected or approved behavior. If the deviation betweenthe two hashes is sufficiently large, then appropriate action may betaken. For example, the user may be flagged for further review. Asanother example, the user may be prevented from accessing a building. Asyet another example, the user may be kicked off a network, restrictedfrom accessing certain applications, and/or prevented from using aparticular device. In this manner, the security tool can consider theactions of a user across different security contexts to determinewhether the user is a malicious user, which makes it more difficult fora malicious user to trick the security system into granting access tocertain environments. The security tool will be described in more detailusing FIGS. 1 through 4.

FIG. 1 illustrates an example system 100. As seen in FIG. 1, system 100includes one or more devices 110, a network 115, a building 116, asoftware application 117, and a security tool 120. Generally, system 100protects various systems from malicious users by considering thebehavior of user 105 in various security contexts. In this manner, thesecurity of network 115, building 116, and/or other softwareapplications is improved in certain embodiments.

Users 105 use devices 110 to interact with other components of system100. For example, user 105 may use device 110 to access network 115. Asanother example, user 105 may use device 110 to access or enter building116. As yet another example, user 105 may use device 110 to accessand/or execute various software applications 117. This disclosurecontemplates user 105 using device 110 to perform any suitable actionwithin system 100. A malicious user may use device 110 to accesscomponents of system 100 that the malicious user should not beaccessing. For example, the malicious user may impersonate a legitimateuser 105 by spoofing a device 110 of the legitimate user 105. Themalicious user may then use the spoofed device to access building 116,network 115, and/or other software applications 117 that the malicioususer may not otherwise be able to access. The malicious user may thendamage certain components of system 100. Such as, for example,sabotaging hardware components in building 116 and/or installing malwareon network 115.

Devices 110 include any appropriate device for communicating withcomponents of system 100 over network 115. For example, devices 110 maybe a telephone, a mobile phone, a computer, a laptop, a tablet, anautomated assistant, and/or a cash register. This disclosurecontemplates device 110 being any appropriate device for sending andreceiving communications over network 115. As an example and not by wayof limitation, device 110 may be a computer, a laptop, a wireless orcellular telephone, an electronic notebook, a personal digitalassistant, a tablet, or any other device capable of receiving,processing, storing, and/or communicating information with othercomponents of system 100. Device 110 may also include a user interface,such as a display, a microphone, keypad, or other appropriate terminalequipment usable by user 105. In some embodiments, an applicationexecuted by device 110 may perform the functions described herein.

Network 115 allows communication between and amongst the variouscomponents of system 100. For example, user 105 may use devices 110 tocommunicate over network 115. A malicious user may jeopardize thesecurity of network 115, such as, for example, by installing malware onnetwork 115. A security system may be placed on network 115 to preventaccess by a malicious user. However, if a malicious user were toimpersonate a legitimate user, the malicious user may gain access tonetwork 115 and damage network 115. Although the malicious user mayaccess network 115 in a suspicious manner (e.g., by logging on whenusers are typically asleep and/or by logging on through an unsecuredconnection), this behavior may not be sufficient to trigger an alert inthe security system installed on network 115. This disclosurecontemplates network 115 being any suitable network operable tofacilitate communication between the components of system 100. Network115 may include any interconnecting system capable of transmittingaudio, video, signals, data, messages, or any combination of thepreceding. Network 115 may include all or a portion of a public switchedtelephone network (PSTN), a public or private data network, a local areanetwork (LAN), a metropolitan area network (MAN), a wide area network(WAN), a local, regional, or global communication or computer network,such as the Internet, a wireline or wireless network, an enterpriseintranet, or any other suitable communication link, includingcombinations thereof, operable to facilitate communication between thecomponents.

Building 116 may be a physical structure that houses components ofsystem 100. For example, building 116 may house hardware components thatimplement network 115, devices 110, and/or security tool 120. Users 105may access building 116 using devices 110. For example, users 105 maypresent security credentials on device 110 and be given access tobuilding 116. If a malicious user were granted access to building 116,the malicious user may damage and/or sabotage the physical units housedwithin building 116. Security systems that control access to building116 may be installed to help prevent a malicious user from accessingbuilding 116. However, if a malicious user were to impersonate alegitimate user, then the malicious user may be granted access tobuilding 116. Although the malicious user may access building 116 in asuspicious manner (e.g., by entering building 116 on a weekend and/or byusing a back door to enter building 116), this behavior may not beenough to trigger an alert in the building's 116 security system.

The malicious user may also access software applications 117 to inflictdamage on other systems. Although the malicious user access and behavioron these software applications 117 may be suspicious (e.g., requestingaccess to an application that a legitimate user typically does notaccess and/or by performing functions that a legitimate user typicallywould not perform), this behavior may not be sufficient to trigger anysecurity that was installed to govern the access and behavior on thesesoftware applications.

In each of these examples, the malicious user may behave suspiciouslybut not suspicious enough to trigger an alert in each of the separatesecurity systems installed in the building, the network, and at thesoftware level. For example, the malicious user may enter building 116through a door that a legitimate user would not typically use. Asanother example, the malicious user may log on to network 115 at thetime when legitimate user typically does not log on to network 115. Asyet another example, the malicious user may request access to a softwareapplication that a legitimate user typically does not access. Each ofthese actions would be evaluated by a separate security system but maynot be enough for each security system to determine that the user ismalicious. Thus, the malicious user may be able to avoid detection andinflict damage to the components of system 100. However, it may be thecase that if the totality of the user's suspicious behavior wereconsidered, then the user would be determined to be malicious.

This disclosure contemplates a security tool 120 that considers thebehavior of a user 105 across different security contexts to determinewhether the user is a malicious user and presents a security risk. Ifthe user is a malicious user, security tool 120 can take remedial action(e.g., by preventing the user from accessing a building, kicking theuser off a network, restricting access to certain software application,preventing a device of the user from accessing the network and/orapplications). For example, security tool 120 may evaluate a user 105who has (1) accessed building 116, (2) logged onto network 115 using adevice 110, (3) requested access to an application 117, and (4)performed a function on device 110 and/or in application 117. As seen inFIG. 1, security tool 120 includes a processor 125 and a memory 130.This disclosure contemplates processor 125 and memory 130 beingimplemented to perform any of the functions of security tool 120described herein. In certain embodiments, security tool 120 generates aholistic picture of the behavior of user 105 and system 100 to determinewhether user 105 is a malicious user.

Processor 125 is any electronic circuitry, including, but not limited tomicroprocessors, application specific integrated circuits (ASIC),application specific instruction set processor (ASIP), and/or statemachines, that communicatively couples to memory 130 and controls theoperation of security tool 120. Processor 125 may be 8-bit, 16-bit,32-bit, 64-bit or of any other suitable architecture. Processor 125 mayinclude an arithmetic logic unit (ALU) for performing arithmetic andlogic operations, processor registers that supply operands to the ALUand store the results of ALU operations, and a control unit that fetchesinstructions from memory and executes them by directing the coordinatedoperations of the ALU, registers and other components. Processor 125 mayinclude other hardware that operates software to control and processinformation. Processor 125 executes software stored on memory to performany of the functions described herein. Processor 125 controls theoperation and administration of security tool 120 by processinginformation received from devices 110, network 115, and memory 130.Processor 125 may be a programmable logic device, a microcontroller, amicroprocessor, any suitable processing device, or any suitablecombination of the preceding. Processor 125 is not limited to a singleprocessing device and may encompass multiple processing devices.

Memory 130 may store, either permanently or temporarily, data,operational software, or other information for processor 125. Memory 130may include any one or a combination of volatile or non-volatile localor remote devices suitable for storing information. For example, memory130 may include random access memory (RAM), read only memory (ROM),magnetic storage devices, optical storage devices, or any other suitableinformation storage device or a combination of these devices. Thesoftware represents any suitable set of instructions, logic, or codeembodied in a computer-readable storage medium. For example, thesoftware may be embodied in memory 130, a disk, a CD, or a flash drive.In particular embodiments, the software may include an applicationexecutable by processor 125 to perform one or more of the functionsdescribed herein.

Security tool 120 stores one or more profiles 135. Each profile 135indicates actions taken by a user 105 in system 100. For example, aprofile 135 indicates a series of actions taken by a user 105. When thatuser 105 performs an additional action, that profile 135 is updated toinclude the newly performed action. For example, if a user 105 entersbuilding 116, profile 135 may be updated to indicate that user 105 hasaccessed building 116. The profile 135 may also indicate the time and/ora door through which the user 105 accessed building 116. As anotherexample, user 105 logs on to network 115, the profile 135 may be updatedto indicate a time, a username, and a password used by user 105 to logonto network 115. As yet another example, when the user 105 requestsaccess to a software application 117 or performs an action using thesoftware application 117, the profile 135 may be updated to indicate thetime and the action taken by the user 105 using the software application117 such as, for example, the request or the function performed.Security tool 120 may process the profile 135 when an update occurs toevaluate whether the user 105 is a malicious user and should beprevented access to certain features or functions within system 100.

Security tool 120 stores one or more hashes 140. Each hash 140 indicatesexpected behavior from a user 105. The hashes 140 may be compared withother hashes 140 to determine whether a user 105 is a malicious user. Byhashing the behavior of user 105, the identity and behavior of the useris protected. In other words, it may not be possible by looking at aparticular hash 140 to determine which user 105 is described by the hash140. Additionally, it may not be possible to determine the actualactions taken by the user 105. In this manner, hash 140 protects theidentity and behavior of legitimate users 105. In the example of FIG. 1,hash 140A is a hash indicating the expected behavior of a certain user105. When that user 105 performs an action in system 100, hash 140A iscompared with another hash 140 that indicates the user's 105 action todetermine whether the behavior is deviant.

Security tool 120 receives messages 145 that indicate the actions takenby user 105. In the example of FIG. 1, security tool 120 receives amessage 145A indicating an action taken by user 105. For example,message 145A may indicate that user 105 has accessed building 116 or isattempting to access building 116. Messages 145A may further indicatethat user 105 has accessed building 116 at a particular time through aparticular door.

In certain embodiments, security tool 120 may apply a weight 160A to theaction indicated by message 145A. If the action indicated by message145A typically presents a threat to system 100, then weight 160A may behigh. On the other hand, if the action indicated by message 145A istypically safe conduct, then weight 160A may be low. By using weight160, security tool 120 may appropriately judge the actions taken by auser 105 to evaluate whether user 105 is a malicious user.

Security tool 120 updates profile 135 to indicate the action taken byuser 105. In the example of FIG. 1, security tool 120 updates a profile135 with the action indicated by message 145A to produce a profile 135A.Profile 135A may indicate the actions taken by user 105 and the actionindicated by message 145A (e.g., that user 105 has accessed building 116at a particular time, through a particular door). Security tool 120 maythen evaluate profile 135A to determine if user 105 is a malicious user.

Security tool 120 hashes profile 135A to generate hash 140B. Securitytool 120 compares hash 140B with hash 140A. As described above, hash140A indicates expected behavior from user 105. Security tool 120determines a deviation 145A between hash 140A and hash 140B. Deviation145A may indicate whether user 105 is a malicious user. For example, ifthe behavior indicated by message 145A deviates from the expectedbehavior of user 105, then deviation 145A may indicate that user 105 isa malicious user. Using the previous example, if user 105 does nottypically access building 116 at the time indicated by message 145A orif user 105 does not typically access building 116 through the doorindicated my message 145A then deviation 145A may be large. On the otherhand, if user 105 typically accesses building 116 at the time indicatedby message 145A or if user 105 typically accesses building 116 throughthe door indicated by message 145A then deviation 145A may be small. Asyet another example, if security tool 120 determines that accessingbuilding 116 is not a significant indicator of whether user 105 is amalicious user, then weight 160A may be small thus resulting indeviation 145A being small even if user 105 accessing building 116 at aparticular time, through a particular door, deviates from the typicalbehavior of user 105.

Security tool 120 compares deviations 145 to threshold 150 to determinewhether a user 105 is a malicious user. For example, if deviation 145Aexceeds threshold 150, then security tool 120 may determine that user105 is a malicious user. In some embodiments, threshold 150 may be onestandard deviation such that if deviation 145A deviates from expectedbehavior by one standard deviation, then security tool 120 determinesthat user 105 is a malicious user.

Security tool 120 determines action 155 to take in response to thecomparison between deviation 145 and threshold 150. In the example ofFIG. 1, security tool 120 determines an action 155A based on thecomparison of deviation 145A and threshold 150. For example, if securitytool 120 determines that deviation 145A exceeded threshold 150, thensecurity tool 120 may determine that user 105 is a malicious user andthat user 105 should be prevented from accessing building 116. Thus,action 155A may need to prevent user 105 from entering building 116. Onthe other hand, if deviation 145A does not exceed threshold 150, thensecurity tool 120 may determine action 155A to allow the user 105 accessto building 116.

Security tool 120 may continue monitoring the behavior of user 105 indifferent security contexts to determine whether user 105 is a malicioususer. Security tool 120 receives a second message 145B indicatinganother action taken by user 105. For example, message 145B may indicatethat user 105 has logged onto network 115 at a particular time usingcertain login credentials. As another example, message 145B may indicatethat user 105 has requested access to a particular software application.As described previously, security tool 120 may apply a weight 160B tothe action indicated by message 145B. Security tool 120 may updateprofile 135A with the action indicated by message 145B to produceprofile 135B. Thus, profile 135B includes the action indicated bymessage 145A and the action indicated in message 145B. Security tool 120then generates a hash 140C using profile 135B. Security tool 120 thencompares hash 140C to hash 140A to determine deviation 145B. In thismanner, security tool 120 considers the totality of the users 105behavior in determining whether the user 105 is a malicious user.

Security tool 120 compares deviation 145B with threshold 150 todetermine an action 155B. For example, if security tool 120 determinesthat deviation 145B exceeds threshold 150, then security tool 120 maydetermine that user 105 is a malicious user and prevent user 105 fromaccessing building 116, logging onto network 115, and using a requestedsoftware application.

In this manner, security tool 120 can prevent a malicious user fromaccessing system 100 when the user's 105 behavior across differentsecurity contexts deviates too much from expected behavior. Using theexample of FIG. 1, deviation 145A may not exceed threshold 150 becauseaccess to building 116 may not be sufficient to indicate whether user105 is a malicious user. Thus, action 155A may be to allow user 105access to building 116. However, when user 105 logs onto network 115and/or request access to a particular software application 117, then thebehavior may deviate too far from the expected behavior of user 105.Thus, deviation 145B, which considered the user's access to building 116along with the user's access to network 115 and the software application117, may exceed threshold 150. Security tool 120 may take action 155B,which may be to trigger an alarm or an alert, and to prevent user 105from accessing building 116, network 115, and/or the requested softwareapplication 117. Thus, security tool 120 considers the behavior of user105 across the security of building 116, network 115, and/or softwareapplications 117 to determine whether user 105 is a malicious user,thereby improving the security of system 100 in certain embodiments.

This disclosure contemplates security tool 120 performing any suitableaction in response to determining that a deviation 145 exceeds threshold150. For example, security tool 120 may flag a user 105 for increasedsecurity monitoring. Additionally, security tool 120 may deny user 105access to other components of system 100, such as, for example, building116, network 115, and/or application 117. Security tool 120 may alsotrigger an alarm that alerts other users 105 of the security breach.

Although FIG. 1 shows security tool 120 performing certain steps ortaking certain actions in linearly or sequentially, this sequentialillustration is provided merely for clarity. Security tool 120 need notperform steps serially or sequentially but can perform steps inparallel. As a result, security tool 120 can receive information frommultiple sources and security contexts in parallel and process thisinformation in parallel to make determinations about a user's behavioron the fly. For example, security tool 120 may receive a message 145indicating that user 105 attempted to enter building 116 through a doorand while processing that message 145, security tool 120 may receiveanother message indicating that the user 105 has requested access to aparticular application 117. Security tool 120 may generate a hash 140that captures both of these actions taken by the user 105 to determinethe appropriate action 155 that should be taken.

FIG. 2 illustrates an example security tool 120 of the system 100 ofFIG. 1. In the example of FIG. 2, security tool 120 updates the hash 140that indicates expected behavior. In this manner, security tool 120 maybe updated to detect, allow, and/or prevent new behavior.

Security tool 120 receives a message 205 that indicates a certainaction. Message 205 may indicate that the action should be allowed ornot allowed. For example, message 205 may indicate that a user 105should be given access to a building. As another example, message 205may indicate that the user 105 should not be given access to a networkor application.

Security tool 120 may update a hash 140 based on the message 205. Hash140 may indicate expected behavior. Security tool 120 may update thathash 140 based on message 205 to produce hash 140D. Hash 140D mayindicate the new expected behavior indicated by message 205. Securitytool 120 may then use hash 140D to determine whether a user is amalicious user.

In the example of FIG. 2, security tool 120 generates a hash 140C fromprofile 130B. As described above, profile 130C and hash 140C mayindicate the actions taken by a user 105 who has accessed a building116, a network 115, and/or an application 117. Security tool 120 maycompare hash 140C and hash 140D to determine a deviation 145C. Securitytool 120 may then determine an action 155C by comparing deviation 145Cwith threshold 150.

Using the previous example, security tool 120 may have determined that auser was a malicious user based on the behavior indicated by profile135B and hash 140C. For example, the user's behavior in accessing abuilding, network, and/or application may have deviated too much fromexpected behavior. In response, security tool 120 may have flagged theuser, triggered an alarm, and/or prevented access to the building,network, and/or application. In the example of FIG. 2, security tool 120may have received message 205 that indicates that the user is not amalicious user and should be granted access to the building, network,and/or application. In response, security tool 120 updates the hash 140of expected behavior to produce hash 140D. Security tool 120 thenreevaluates the user by comparing hash 140C to 140D to determinedeviation 145C. Deviation 145C may not exceed threshold 150, and thus,security tool 120 may perform action 155C to allow the user access tothe building, network, and/or application. In this manner, security tool120 may be updated to consider and evaluate any behavior performed by auser in system 100.

FIG. 3 illustrates an example security tool 120 of the system 100 ofFIG. 1. Generally, FIG. 3 shows security tool 120 considering additionalbehavior performed by a user in system 100. Security tool 120 receives amessage 145C indicating behavior performed by a user in system 100.Message 145C may indicate that the user has accessed a particular devicein system 100. Security tool 120 applies a weight 160C to the actionindicated by message 145C. Security tool 120 then updates profile 135Bto include the behavior indicated by message 145C to produce profile135C. In this manner, profile 135C indicates the user's access to abuilding, a network, an application, and/or a device.

Security tool 120 generates hash 140E from profile 135C. Security tool120 then compares hash 140A and hash 140E to determine deviation 145D.If deviation 145D exceeds a threshold 150, security tool 120 maydetermine that the user is a malicious user. Security tool 120 mayfurther prevent the device from connecting to the network. If deviation145D does not exceed threshold 150, security tool 120 may determine thatthe user is not a malicious user. In response, security tool 120 takesan appropriate action 155D. If the user is a malicious user, action 155Dmay be to prevent the user from accessing the particular device. If theuser is not a malicious user, then security tool 120 may allow the useraccess to the device.

In this manner, security tool 120 may continue evaluating the totalityof the user's behavior in system 100 in determining whether the user isa malicious user even after an action 155 is taken.

FIG. 4 shows a radial graph 400 that illustrates an example operation ofthe security tool of the system of FIG. 1. Radial graph 400 is dividedinto four regions representing information about four different types ofactions taken by a user. The top left quadrant represents informationabout system activities. The top right quadrant represents informationabout computer activities. The bottom left quadrant representsinformation about behavioral biometrics activities. The bottom rightquadrant represents information about intelligence activities.

The circular nodes in graph 400 represent the hash values for expectedbehavior. Certain points in a quadrant are connected by a line or linesto indicate an acceptable deviation from the accepted behavior. Thetriangular nodes in graph 400 indicate hash values for actions taken bya user. Thus, in the example of FIG. 4, the user has performed an actionin the system activities category, such as for example, entering abuilding. That action is represented by triangular node 405. As seen ingraph 400, that action falls within the range of expected behavior ordoes not deviate too far from expected behavior. Thus, that action maybe allowed.

Triangular node 410 also indicates an acceptable action within theintelligence category. The action may be, for example, requesting accessto an application. As seen in FIG. 4, node 410 falls within the range ofexpected behavior in that category or does not deviate too far fromexpected behavior in that category. Thus, the action represented by node410 may be allowed. However, triangular node 415 does not fall withinthe range of expected behavior. For example, node 415 may represent theuser requesting to access sensitive information through the application.As a result, appropriate action may be taken when node 415 is evaluated.For example, the system may prevent the user from accessing thesensitive information. Moreover, the system may stop the user fromaccessing the application or from entering the building even thoughthose behaviors were previously found to be within the range of expectedbehavior.

Graph 400 may be updated as the user takes certain actions. For example,the circular nodes may move in graph 400 depending on updates receivedand actions taken by the user. Using the previous example, when the userrequests access to the sensitive information (represented by node 415),the circular nodes in the system activity category and the intelligencecategory may shift such that triangular nodes 405 and 410 are no longerwithin the range of expected behavior. This shift represents the userbeing prevented from accessing the application and the building.

This disclosure contemplates graph 400 including any appropriate numberof nodes representing any appropriate number of behaviors. The number ofnodes shown in graph 400 in FIG. 4 is for illustrative purposes.

FIG. 5 is a flowchart illustrating a method 500 for improving securityusing the system 100 of FIG. 1. In certain embodiments, security tool120 performs the steps of method 500. By performing method 500, securitytool 120 improves the security of the system, such as, for example, abuilding, a network, and/or an application.

In step 505, security tool 120 stores a first profile indicating actionstaken by a user. Security tool 120 stores a first hash indicatingexpected behavior from the user in step 510. In step 515, security tool120 receives a first message. The first message indicates a certainaction or behavior taken by the user. Security tool 120 updates thefirst profile based on the first message to produce a second profile instep 520. The second profile includes the action indicated by the firstmessage. In step 525, security tool 120 generates a second hash based onthe second profile. Security tool 120 calculates a first deviation instep 530 by comparing the second hash with the first hash.

Security tool 120 determines whether the first deviation exceeds thethreshold in step 535. If the first deviation exceeds the threshold,security tool 120 may determine that the user is a malicious user, andin step 540, flag the user for additional security monitoring and denythe user access to certain components of the system, such as a building,a network, and/or a software application. If the first deviation doesnot exceed the threshold, then security tool 120 may give the useraccess and proceed with method 500.

In step 545, security tool 120 receives a second message indicatinganother action taken by the user. Security tool 120 updates the secondprofile based on the second message to produce a third profile in step550. In step 545, security tool 120 generates a third hash based on thethird profile. Security tool 120 then calculates a second deviation bycomparing the third hash with the first hash in step 560. In step 565,security tool 120 determines whether the second deviation exceeds thethreshold. If the second deviation exceeds the threshold, security tool120 determines that the user is a malicious user and in step 570,security tool 120 flags the user for increased security monitoringand/or denies the user access to certain components of system 100, suchas, for example, a building, a network, and/or a software application.If the second deviation does not exceed the threshold, then securitytool 120 may give the user access and conclude method 500.

Modifications, additions, or omissions may be made to method 500depicted in FIG. 5. Method 500 may include more, fewer, or other steps.For example, steps may be performed in parallel or in any suitableorder. While discussed as security tool 120 performing the steps, anysuitable component of system 100, such as device(s) 110 for example, mayperform one or more steps of the methods.

Although the present disclosure includes several embodiments, a myriadof changes, variations, alterations, transformations, and modificationsmay be suggested to one skilled in the art, and it is intended that thepresent disclosure encompass such changes, variations, alterations,transformations, and modifications as fall within the scope of theappended claims.

What is claimed is:
 1. An apparatus comprising: a memory that stores: afirst profile indicating actions taken by a user; and a first hashindicating expected behavior from the user; and a hardware processorcommunicatively coupled to the memory, wherein the hardware processor:receives a first message indicating that the user has attempted to entera building; updates the first profile based on the first message toproduce a second profile; generates a second hash based on the secondprofile; calculates a first deviation between the second hash and thefirst hash; determines that the first deviation is below a threshold; inresponse to determining that the first deviation is below the threshold,allows the user access to the building; receives a second messageindicating that the user has requested access to a software application;updates the second profile based on the second message to produce athird profile; generates a third hash based on the third profile;calculates a second deviation between the third hash and the first hash;determines that the second deviation is above the threshold; and inresponse to determining that the second deviation is above thethreshold: flags the user for increased security monitoring; and deniesthe user access to the software application.
 2. The apparatus of claim1, wherein the hardware processor further: receives a third messageindicating that the user should be granted access to the softwareapplication; and updates the first hash based on the third message toproduce a fourth hash.
 3. The apparatus of claim 2, wherein the hardwareprocessor further: calculates a third deviation between the third hashand the fourth hash; determines that the third deviation is below thethreshold; and in response to determining that the third deviation isbelow the threshold, grants the user access to the software application.4. The apparatus of claim 1, wherein the hardware processor further:applies a first weight when updating the first profile based on thefirst message; and applies a second weight different from the firstweight when updating the second profile based on the second message. 5.The apparatus of claim 1, wherein the hardware processor further:receives a third message indicating that the user has accessed a device;updates the third profile based on the third message to produce a fourthprofile; generates a fourth hash based on the fourth profile; calculatesa third deviation between the fourth hash and the first hash; determinesthat the third deviation is above the threshold; and in response todetermining that the third deviation is above the threshold, preventsthe device from connecting to a network.
 6. The apparatus of claim 1,wherein the hardware processor further denies the user access to thebuilding in response to determining that the second deviation is abovethe threshold.
 7. The apparatus of claim 1, wherein the hardwareprocessor further updates the first hash based on a message indicatingan action taken by a second user different from the first user.
 8. Amethod comprising: storing, by a memory, a first profile indicatingactions taken by a user; storing, by the memory, a first hash indicatingexpected behavior from the user; receiving, by a hardware processorcommunicatively coupled to the memory, a first message indicating thatthe user has entered a building; updating, by the hardware processor,the first profile based on the first message to produce a secondprofile; generating, by the processor, a second hash based on the secondprofile; calculating, by the processor, a first deviation between thesecond hash and the first hash; determining, by the processor, that thefirst deviation is below a threshold; receiving, by the processor, asecond message indicating that the user has requested access to asoftware application; updating, by the processor, the second profilebased on the second message to produce a third profile; generating, bythe processor, a third hash based on the third profile; calculating, bythe processor, a second deviation between the third hash and the firsthash; determining, by the processor, that the second deviation is abovethe threshold; and in response to determining that the second deviationis above the threshold: flagging, by the processor, the user forincreased security monitoring; and denying, by the processor, the useraccess to the software application.
 9. The method of claim 8, furthercomprising: receiving, by the processor, a third message indicating thatthe user should be granted access to the building; and updating, by theprocessor, the first hash based on the third message to produce a fourthhash.
 10. The method of claim 9, further comprising: calculating, by theprocessor, a third deviation between the third hash and the fourth hash;determining, by the processor, that the third deviation is below thethreshold; and in response to determining that the third deviation isbelow the threshold, granting, by the processor, the user access to thesoftware application.
 11. The method of claim 8, further comprising:applying, by the processor, a first weight when updating the firstprofile based on the first message; and applying, by the processor, asecond weight different from the first weight when updating the secondprofile based on the second message.
 12. The method of claim 8, furthercomprising: receiving, by the processor, a third message indicating thatthe user has accessed a device; updating, by the processor, the thirdprofile based on the third message to produce a fourth profile;generating, by the processor, a fourth hash based on the fourth profile;calculating, by the processor, a third deviation between the fourth hashand the first hash; determining, by the processor, that the thirddeviation is above the threshold; and in response to determining thatthe third deviation is above the threshold, preventing, by theprocessor, the device from connecting to a network.
 13. The method ofclaim 8, further comprising denying, by the processor, the user accessto the building in response to determining that the second deviation isabove the threshold.
 14. The method of claim 8, further comprisingupdating, by the processor, the first hash based on a message indicatingan action taken by a second user different from the first user.
 15. Asystem comprising: a building; and a security tool comprising a memoryand a hardware processor, wherein the security tool: stores a firstprofile indicating actions taken by a user; stores a first hashindicating expected behavior from the user; receives a first messageindicating that the user has entered the building; updates the firstprofile based on the first message to produce a second profile;generates a second hash based on the second profile; calculates a firstdeviation between the second hash and the first hash; determines thatthe first deviation is below a threshold; receives a second messageindicating that the user has requested access to a software application;updates the second profile based on the second message to produce athird profile; generates a third hash based on the third profile;calculates a second deviation between the third hash and the first hash;determines that the second deviation is above the threshold; and inresponse to determining that the second deviation is above thethreshold: flags the user for increased security monitoring; and deniesthe user access to the software application.
 16. The system of claim 15,wherein the security tool further: receives a third message indicatingthat the user should be granted access to the building; and updates thefirst hash based on the third message to produce a fourth hash.
 17. Thesystem of claim 16, wherein the security tool further: calculates athird deviation between the third hash and the fourth hash; determinesthat the third deviation is below the threshold; and in response todetermining that the third deviation is below the threshold, grants theuser access to the software application.
 18. The system of claim 15,wherein the security tool further: applies a first weight when updatingthe first profile based on the first message; and applies a secondweight different from the first weight when updating the second profilebased on the second message.
 19. The system of claim 15, wherein thesecurity tool further: receives a third message indicating that the userhas accessed a device; updates the third profile based on the thirdmessage to produce a fourth profile; generates a fourth hash based onthe fourth profile; calculates a third deviation between the fourth hashand the first hash; determines that the third deviation is above thethreshold; and in response to determining that the third deviation isabove the threshold, prevents the device from connecting to a network.20. The system of claim 15, wherein the security tool further denies theuser access to the building in response to determining that the seconddeviation is above the threshold.